Table of Contents

SMTP authentication and Postfix

Introduction

The original idea of this page was a quick and dirty howto on how to setup SMTP authentication on Postfix. However, it turned out that there was no quick way to achieve what I wanted (encrypted passwords over an unencrypted link, using Courier IMAP as the password database). It also turned out that I was running a non-standard Postfix (it wasn't chrooted). Therefore, as SMTP AUTH and SASL have always been something of a black art to me, I have written a few things down that I have discovered, as well as a quick and dirty howto on setting up a basic SASL database.

The first thing I should recommend is that one of the easiest way to achieve SMTP authentication is to authenticate against an IMAP server, and that Dovecot (or so I have read) is the easiest way to get up and running. As it is, I am running Courier, and didn't have the time to migrate, although I will certainly consider it in the future.

If you can't do the above, read on!

SASL comes in 2 flavours: an authentication daemon (saslauthd) that can authenticate against a variety of sources (including IMAP and a passwd file) and a library that can be used to authenticate against a single file database. My aim was to setup the daemon to authenticate against my IMAP server (which was easy to set up, see below), but it transpired that saslauthd does not support either CRAM-MD5 or DIGEST-MD5, meaning that the authentication from a client would be done in near-as plain text over the internet, which is far from ideal. I therefore opted for the sasldb2 database, which again was fairly easy to setup, but requires its own set of users to be created.

Sasldb2 database

Quick and dirty instructions on setting up Postfix authentication against a SASL database.

Install SASL libraries:

apt-get install libsasl2
apt-get install sasl2-bin (is this needed?)

Edit /etc/postfix/main.cf and add the following lines:

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname

Add permit_sasl_authenticated to smtpd_recipient_restrictions

You will also need to add permit_sasl_authenticated to smtpd_client_restrictions if using a DNS blacklist (otherwise the client sending will be rejected regardless if sending from a dialup network).

Edit /etc/postfix/sasl/smtpd.conf:

pwcheck_method: auxprop
mech_list: CRAM-MD5 DIGEST-MD5

Setup the SASL database file, changing realm.domain.com to $myhostname in the postfix main.cf:

saslpasswd2 -c -u realm.domain.com -a smtpauth username

Allow postfix to access the database:

chown postfix.sasl /etc/sasldb2

Reload postfix and test!

postfix reload

saslauthd and IMAP authentication

Quick and dirty instructions on setting up Postfix authentication against the SASL daemon. Note that this will not work for CRAM-MD5 or DIGEST-MD5 (you will get the cryptic error message “SASL authentication failure: no secret in database”).

Install SASL libraries and auth daemon:

apt-get install libsasl2-2
apt-get install sasl2-bin

Edit /etc/postfix/main.cf and add the following lines:

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname

Add permit_sasl_authenticated to smtpd_recipient_restrictions, or if it doesn't exist, add smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

Edit /etc/postfix/sasl/smtpd.conf:

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

Edit /etc/default/saslauthd (rimap means authenticate against an imap server, see mansaslauthd for other options):

START=yes
MECHANISMS="rimap"
MECH_OPTIONS="localhost"

If you are running postfix in a chroot (default for Debian) see /usr/share/doc/sasl2-bin/README.Debian